Investment Platform with 2 Factor Authentication
Thanks, I should clarify: 2FA is more convenient than random password character keys and when implemented as a mobile phone application.
Random password character keys, e.g. enter 1st, 5th and 13th characters, have become almost standard for finance applications in my experience. My bank, trading platform and investment account all use them. In order to figure out which characters they want I have to cross reference against the password and select from a drop-down menu. It is a tedious, slow process if you have a secure password. Moreover it is insecure in that the decoding process means that the platform have not stored the password with a one-way encryption algorithm and so it may be readable to internal staff.
Mobile phone applications, like RSA SecurID and Google Authenticator, are fairly simple to use and available on multiple platforms (Apple, Android, Windows). Select the App, get a code, key in the code and the job is done. Technically these use Time-based One-time Password Algorithms (TOTP) based on an open standard. Check out the Wikipedia entry for more details.
Yes, there are still vulnerabilities. The only secure computer is not connected to anything and stored, switched off, in a locked room. But at least 2FA is a step in the right direction.
0 -
With a number of bank accounts I've seen lots of different security methods applied, some a lot better than others.
I wonder if more traditional fraud is still more likely, so paper based address changes etc.
Remember the saying: if it looks too good to be true it almost certainly is.
0 -
I also wish an investment platform offered proper security (and no, password and pin or whatever is not proper security).
Emailing on a new device login is not bad but I wish for RSA token implementation. I don't think there is a platform open to UK users that offers this however. I think Fidelity in the USA are trialling RSA tokens for some customers. Banks in the UK are not much better.
0 -
How passwords are stored so that random characters are checkable also worries me, but with a little thought secure passwords can be devised so that the individual characters are easily memorable with no need to write them down (once memorized).
Having to use a mobile phone app, or receive a text, would be a deal-breaker for me though, as I do not have or want a mobile phone.
Eco Miser
Saving money for well over half a century
0 -
It's easy to say this scenario is just like holding a savings account with linked current account, but I think an aspect of sharedealing platforms that could easily be overlooked in this discussion is the ability for someone to maliciously gamble away your money placing trades. That makes these accounts quite different to savings accounts where the worst they could do is move your money to your own linked current account.
It is likely to be more of a fringe situation, as nobody could financially gain from doing the above. But it is a plausible scenario for a targeted revenge-based attack, for example. That might lend some weight to the argument that two factor should at least be offered to those people wanting to adopt it.
Perhaps the cost of reimbursing customers falls below the cost of implementing such additional security?
0 -
Perhaps the cost of reimbursing customers falls below the cost of implementing such additional security?
I don't know about that, but I would be very willing to foot a portion of the cost to get a token on my account.
For what it's worth (and I know there are some sort of regulations on this in the UK but I don't know exactly what they are), Fidelity have a section on their USA website that says any losses due to unauthorised activity will be refunded. I queried this with UK customer support and was told it did not apply to UK customers.
0 -
InvestInPoker wrote: » I don't know about that, but I would be very willing to foot a portion of the cost to get a token on my account.
0 -
How passwords are stored so that random characters are checkable also worries me,
hopefully as a hash for obvious reasons.
Whilst I agree about convenience vs security, the fact that a games platform has 2fa says quite a lot....
https://eu.battle.net/support/en/article/battlenet-authenticator
These platforms don't have years of savings / investments yet they see the need for virtual gold! (I know there is temporarily real cash in that system as well)
0 -
First Direct share trading requires that the trader logs into online banking with a code generated by a Secure Key device or app.
0
This discussion has been closed.